The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Thursday, July 31, 2008

The Province of Nova Scotia has for some time been consulting with inside stakeholders on the development of health information legislation. It has just launched a consultation, seeking input from interested parties. I haven't had a chance to look at the discussion paper yet, but I understand they've been using Ontario's PHIPA as the model:

For the past several years the Department of Health has been working with health sector partners on initiatives related to the protection and use of personal health information. As part of the evolution of standards, policy and law on these issues, the Department is developing a Personal Health Information Act for the province.

The Department is pleased to present the Discussion Paper Personal Health Information Legislation for Nova Scotia (PDF: 70p). Throughout the Discussion Paper, key issues related to the collection, use, disclosure, retention and destruction of personal health information are discussed, and legislative provisions for a Personal Health Information Act are proposed.

Public and stakeholder input to this legislation is critical to its success. Any feedback on the issues raised in the paper, and on any issues related to the management of personal health information in Nova Scotia, can be submitted through the online questionnaire, by e-mail to phia@gov.ns.ca or by regular mail to the Personal Health Information Project, Department of Health, 1690 Hollis Street, P.O. Box 488, Halifax, Nova Scotia, B3J 2R8.

It's been a while since we've seen a published PIPEDA finding that wasn't from a high-profile case.

In this case, a bank refused to provide a customer with access to the appraisal conducted by the bank of the customer's property. The bank argued it was about the property and not about him. Further, they argued it was confidential commercial information. The Assistant Commissioner did not agree:

The Assistant Commissioner first examined the question of whether the residential property appraisal should be defined as personal information under section 2 of the Act. After considering both the bank’s views and the CBA’s, as well as this Office’s earlier deliberation on the same question in another finding, the Assistant Commissioner remained of the opinion that, since the property was in the complainant’s name, the information relating to the property, including its market value, was his personal information. He therefore had a right of access to it.

Friday, July 25, 2008

It's a busy week for privacy cases in the English courts. The media has widely reported on the case of Max Mosley, the Grand Prix boss, who has successfully sued the News of the World. The publication placed a hidden camera in a private residence and filmed Mosley in an intimate encounter. The paper suggested that he participated in a sadomasochistic orgy that attempted to recreate a Nazi death camp atmosphere.

In seeking to protect his privacy, the whole event has been thrown into the public arena. And consistent with other privacy cases, the quantum of damages is surprisingly low given the impact that this has had on Mosley.

LONDON — In a ruling with potentially wide implications for press freedom in Britain, a judge ruled Thursday that a tabloid newspaper breached the privacy of Max Mosley, the overseer of grand prix motor racing, when it published an article in March claiming that he had participated in a sadomasochistic “orgy” with a Nazi theme.

The judge, Sir David Eady, awarded Mr. Mosley, 68, damages equivalent to about $120,000 and legal costs estimated to be at least $850,000 in his lawsuit against The News of the World.

The ruling upheld the central arguments by Mr. Mosley and his lawyers: that there had been no Nazi theme to the five-hour sex session in an apartment in the Chelsea district of London that was secretly filmed by the newspaper, and no issue of public interest in its decision to splash the article on its front page and post video on its Web site.

“I found that there was no evidence that the gathering of March 28, 2008, was intended to be an enactment of Nazi behavior or adoption of any of its attitudes,” the judge wrote.

He added that Mr. Mosley had a “reasonable expectation” of privacy for sexual activities that took place on private premises and that did not involve violations of the criminal law.

“There was no public interest or other justification for the clandestine recording, for the publication of the resulting information and still photographs, or for the placing of the video extracts on The News of the World Web site — all of this on a massive scale,” the judge said.

But he denied Mr. Mosley the “punitive damages” he had sought, which could have amounted to millions of dollars. The damage done to Mr. Mosley’s reputation by “the embarrassing personal information” disclosed by the newspaper “cannot be mitigated by simply adding a few noughts to the number first thought of,” the judge said.

Outside the court, Mr. Mosley said he was delighted with the ruling, which he described as “devastating” to The News of the World.

“It demonstrates that their Nazi lie was completely invented and had no justification,” he said. “It also shows that they had no right to go into private premises and take pictures and film of adults engaged in activities which are no one’s business but those of the people concerned.”

The ruling was one of several by Justice Eady and other judges in recent years in privacy cases against British newspapers under a provision of the European Convention on Human Rights. Some legal experts say the rulings have shifted the balance in Britain in favor of celebrity plaintiffs and against newspapers and other media organizations in invasion-of-privacy cases.

Justice Eady, in his finding, said his ruling should not be considered “a landmark case,” but rather “the application to rather unusual facts” in the Mosley case of privacy principles that had been developing in British court judgments in recent years. Still, the ruling caused a stir among lawyers fighting for press freedoms, some of whom said it was a bellwether for a new, more restrictive era of news media coverage of people in the public domain.

Other lawyers cautioned against alarmism, saying British courts would continue to weigh two competing provisions in the European rights convention — Article 8, establishing a right of privacy, and Article 10, protecting press freedoms — and that it was too early to know where the lasting balance would be struck.

“One lesson it teaches is that public figures can have a private life,” said Desmond Browne, a barrister who has represented some of the plaintiffs in headline-making privacy cases.

Editors of some of Britain’s more serious newspapers also were wary about drawing instant conclusions about where press law in Britain was headed.

Roger Alton, editor of The Independent, a newspaper known for the rigor of its investigative journalism, said he was not too troubled by the ruling.

“It’ll affect kiss-and-tell stories,” Mr. Alton told the British Broadcasting Corporation. “But it’s not a landmark. It’s not going to set things up in a completely different way.”

But Colin Myler, editor of The News of the World, said the judgment was based on precedents established by “judges in Strasbourg,” seat of the European Court of Human Rights, and that the issues involved had never been addressed by Britain’s Parliament. “As a result, our media are being strangled by stealth,” he said.

For Mr. Mosley, success in the case represented at least a partial vindication of what amounted to a gamble. Rather than resigning in shame, as have many well-known figures caught in sex scandals, Mr. Mosley chose another route. He admitted to a passion for sadomasochism, which he told the court had continued for 45 years, and discussed, from the witness box, details of what had occurred in the Chelsea apartment.

But the aspect of the article that he, and many of his detractors in the world of motor racing and beyond, considered the most damaging was the claim that the session involved a conscious effort to recreate the atmosphere of a Nazi death camp.

The potential damage to Mr. Mosley was linked, inevitably, to the fact that he is the son of Sir Oswald Mosley, leader of Britain’s National Union of Fascists in the 1930s, whose secret marriage to Mr. Mosley’s mother, Diana, took place at the home of the Nazi propaganda chief Joseph Goebbels in 1936, with Hitler as guest of honor.

In court, lawyers for The News of the World said they based their claim of a Nazi theme, in part, on the use of commands in guttural German or German-accented English by Mr. Mosley and the women involved. But Mr. Mosley and four of the five women involved maintained that what they intended in their role-playing was to recreate a generic prison scene, not a Nazi death camp.

The case relates to the misuse of private information and defamation. The defendant in this case had set up a false Facebook profile in the name of the plaintiff and established a Facebook group that was, shall we say, not flattering of the plaintiff. The court found in favour of the defendant on both claims.

What's additionally interesting is the detail with which the Court reviews the logging data generated by Facebook and provided to the Court. The case is an interesting read for privacy issues, but also is a good chance to look under the hood of Facebook, forensically speaking.

The Canadian IT Law Association's annual conference is in Halifax this year. In addition to famous Maritime hospitality, attendees can expect to learn the latest in IT, IP and privacy law. The brochure is online here.

It should be great, and I'm not just saying that because I'm the conference co-chair. I've gone to the last six conferences and it is consistently the best of its class.

Wednesday, July 23, 2008

This morning's Globe & Mail ran a story about an apparent connection between a rash of credit card fraud and the check-in kiosks at Toronto's Pearson International Airport. The Airport Authority has said they've checked them out and think all is well:

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks.

In recent months, financial institutions that issue credit cards spotted isolated fraud patterns that appeared to stem from use of the cards in conjunction with getting boarding passes at the Pearson kiosks, according to sources.

While the investigation is in the early stages, it is currently focused on the kiosks, where passengers use passports, frequent-flier cards, reservation numbers, names, and/or credit card data to identify themselves for flights on any one of 13 airlines. It is not known whether any information has actually been stolen or otherwise gone astray.

Some members of the financial industry are very concerned because Pearson is Canada's busiest airport, with 31.5 million passengers travelling through it last year.

One person familiar with the investigation said the fact that personal data at airports might not be secure “should send shudders through every airport traveller.” ...

Monday, July 21, 2008

The official policy is something like: At Mailinator, THERE IS NONE. Expect that any email you send or have sent here can be viewed by anyone. Mailinator/ManyBrain does NOT ask, require or even want any of your personal information. This service is not much different than the existing Usenet; anything you put out there is world-viewable. Keep that in mind.

So if the government issued a subpoena to Mailinator to divulge emails or logs, you'd rat me out?

Holy crap, yes. I'm not going to jail for you, I have a boyish face and very (very) supple skin.

That said, Mailinator keeps very little for any length of time. Mailinator can be a useful privacy tool.

Privacy is a serious issue, and we want to be clear. We think Mailinator can provide pretty decent privacy, and we want to keep providing that and even improve it, but we can't promise it. A promise like that would require lawyers, money, and probably guns - and since we provide Mailinator for free, we don't have any of those.

This was forwarded to me by a friend, who I expect has better things to do than ferret out that most elusive creature: the funny privacy statement.

Sunday, July 20, 2008

The local Halifax paper is running an AP story about the tough choices that custodians of personal information are sometimes called upon to make. After a young girl went missing, the police showed up at the public library demanding to take the public access computers that the girl had apparently used to communicate on MySpace. The librarian stood her ground and demanded that the police get a warrant. They did. Here's the full story:

RANDOLPH, Vt. — Children’s librarian Judith Flint was getting ready for the monthly book discussion group for eight and nine-year-olds on Love That Dog when police showed up.

They weren’t kidding around: Five state police detectives wanted to seize Kimball Public Library’s public access computers as they frantically searched for a 12-year-old girl, acting on a tip that she sometimes used the terminals.

Flint demanded a search warrant, touching off a confrontation that pitted the privacy rights of library patrons against the rights of police on official business.

"It’s one of the most difficult situations a library can face," said Deborah Caldwell-Stone, deputy director of intellectual freedom issues for the American Library Association.

Investigators obtained a warrant about eight hours later, but the June 26 standoff in the 105-year-old, red brick library on Main Street frustrated police and had fellow librarians cheering Flint.

"What I observed when I came in were a bunch of very tall men encircling a very small woman," said the library’s director, Amy Grasmick, who held fast to the need for a warrant after coming to the rescue of the 4-foot-10 Flint.

Library records and patron privacy have been hot topics since the passage of the U.S. Patriot Act after the Sept. 11, 2001, terror attacks.

Library advocates have accused the government of using the anti-terrorism law to find out, without proper judicial oversight or after-the-fact reviews, what people research in libraries.

But the investigation of Brooke Bennett’s disappearance wasn’t a Patriot Act case.

"We had to balance out the fact that we had information that we thought was true that Brooke Bennett used those computers to communicate on her MySpace account," said Col. James Baker, director of the Vermont State Police.

"We had to balance that out with protecting the civil liberties of everybody else, and this was not an easy decision to make."

Brooke, from Braintree, vanished the day before the June 26 confrontation in the children’s section of the tiny library.

Investigators went to the library chasing a lead that she had used the computers there to arrange a rendezvous.

Brooke was found dead July 2.

An uncle, convicted sex offender Michael Jacques, has since been charged with kidnapping her.

Authorities say Jacques had gotten into her MySpace account and altered postings to make investigators believe she had run off with someone she met online.

Flint was firm in her confrontation with the police.

"The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’ " said Flint, 56. "He did say he didn’t need any paper.

"I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’"

Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.

"If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong," he said.

Project description: There is a surprising lack of Canadian research to date on the development of camera surveillance, and the proliferation of surveillance cameras in Canada is occurring without enough oversight or public debate. This project will outline Canadian trends in camera surveillance in public and private spaces by analyzing documentary sources and through interviews with key stakeholders. As part of the project, a final research report will be presented at the International Conference of Data Protection Commissioners in Strasbourg, France (Sept. 2008).

Something like this is sorely needed as police forces and others push for more surveillance of public places, while research in other countries suggests that it just moves crime from one area to another.

Thursday, July 17, 2008

The Supreme Court of Canada has just handed down its decision in Canada (Privacy Commissioner) v. Blood Tribe Department of Health, which was a question of whether the Privacy Commissioner could review documents to determine whether claims of privilege have been properly applied. The unanimous Court, on appeal from the Federal Court of Appeal, determined that she cannot.

Following her dismissal, an employee asked to have access to her personal employment information because she suspected that the employer had improperly collected inaccurate information and used it to discredit her before its board. The employer denied the request, and the employee filed a complaint with the Privacy Commissioner seeking access to her personal file. The Commissioner requested the records from the employer in broad terms. All records were provided except for those over which the employer claimed solicitor‑client privilege. The Commissioner then ordered production of the privileged documents pursuant to s. 12 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which confers the powers to compel the production of any records “in the same manner and to the same extent as a superior court of record” and to “receive and accept any evidence and other information . . . whether or not it is or would be admissible in a court of law”. The employer applied for judicial review of the Commissioner’s decision. The reviewing judge determined the Commissioner was empowered to compel production of documents over which solicitor‑client privilege was claimed in order to effectively complete her statutory investigative role. The Federal Court of Appeal set aside the decision of the reviewing judge and vacated the Commissioner’s order for production of records.

Held: The appeal should be dismissed.

Solicitor‑client privilege is fundamental to the proper functioning of our legal system. The complex of rules and procedures is such that, realistically speaking, it cannot be navigated without a lawyer’s expert advice. However, experience shows that people who have a legal problem will often not make a clean breast of the facts to a lawyer without an assurance of confidentiality “as close to absolute as possible”. Without that assurance, access to justice and the quality of justice in this country would be severely compromised. It is in the public interest that the free flow of legal advice be encouraged. [9]

When the appropriate principles of statutory interpretation are applied to the general language of PIPEDA, the right of the individual or organization that is the target of the complaint to keep solicitor‑client confidences confidential must prevail. The Commissioner is an officer of Parliament vested with administrative functions of great importance, but she does not, for the purpose of reviewing solicitor‑client confidences, occupy the same position of independence and authority as a court. It is well established that general words of a statutory grant of authority to an office holder, including words as broad as those contained in s. 12 of PIPEDA, do not confer a right to access solicitor‑client documents, even for the limited purpose of determining whether the privilege is properly claimed. That role is reserved to the courts. Express words are necessary to permit a statutory official to “pierce” the privilege. Such clear and explicit language does not appear in PIPEDA. [1-2]

An adjudication of a claim of privilege by the Commissioner, who is an administrative investigator not an adjudicator, would be an infringement of the privilege. Client confidence is the underlying basis for the solicitor‑client privilege, and infringement must be assessed through the eyes of the client. To a client, compelled disclosure to an administrative officer, even if not disclosed further, would constitute an infringement of the confidentiality. The objection is all the more serious where, as here, there is a possibility of the privileged information being made public or used against the person entitled to the privilege. Furthermore, in pursuit of its mandate, the administrative officer may become adverse in interest to the party whose documents it wants to access. Not only may it take the resisting party to court but it may decide to share compelled information with prosecutorial authorities without court order or the consent of the party from whom the information was compelled. [20‑21] [23]

Here, the only reason the Commissioner gave for compelling the production and inspection of the documents in this case is that the employer indicated that such documents existed. She does not claim any necessity arising from the circumstances of this particular inquiry. The Commissioner is therefore demanding routine access to such documents in any case she investigates where solicitor‑client privilege is invoked. In the Commissioner’s view, piercing the privilege would become the norm rather than the exception in the course of her everyday work. Even courts will decline to review solicitor‑client documents to adjudicate the existence of privilege unless evidence or argument establishes the necessity of doing so to fairly decide the issue. [17]

The Commissioner has not made out a case that routine access to solicitor‑client confidences is necessary to achieve the ends sought by PIPEDA. There are other less intrusive remedies. Firstly, she may, at any point in her investigation, refer a question of solicitor‑client privilege to the Federal Court under s. 18.3(1) of the Federal Courts Act. Secondly, within the framework of PIPEDA itself, the Commissioner has the right to report an impasse over privilege in her s. 13 report and, with the agreement of the complainant, bring an application to the Federal Court for relief under s. 15. The court is empowered, if it thinks it necessary, to review the contested material and determine whether the solicitor‑client privilege has been properly claimed. This procedure permits verification while preserving the privilege as much as possible. [31] [33‑34]

I don't think I can take any credit for this next move, but I'm sure the loud outcry has had an influence: Google and Viacom have agreed to anonymise the data using a one-way function so that the actual IP addresses cannot be reverse-engineered, and Viacom has agreed not even to try. The stipulation filed with the court is here. Extract:

IT IS HEREBY STIPULATED AND AGREED, by and between the undersigned counsel of record:

1. Substituted Values: When producing data from the Logging Database pursuant to the Order, Defendants shall substitute values while preserving uniqueness for entries in the following fields: User ID, IP Address and Visitor ID. The parties shall agree as promptly as feasible on a specific protocol to govern this substitution whereby each unique value contained in these fields shall be assigned a correlative unique substituted value, and preexisting interdependencies shall be retained in the version of the data produced. Defendants shall promptly (no later than 7 business days after execution of this Stipulation) provide a proposed protocol for this substitution. Defendants agree to reasonably consult with Plaintiffs’ consultant if necessary to reach agreement on the protocol.

2. Non-Circumvention: The parties agree that they shall not engage in any efforts to circumvent the encryption utilized pursuant to Paragraph 1 of this Stipulation. This Paragraph does not limit in any way any party’s rights under Paragraph 8 below.
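The substitution that Paragraph 1 describes, as an added example rather than the protocol the parties actually agreed on: a keyed one-way function (HMAC-SHA256 under a key held only by the producing party) maps each distinct User ID, IP Address and Visitor ID to one token, so uniqueness and the links between rows survive while the raw values do not. The log rows, field names and key below are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# The three fields the stipulation names for substitution (field names are assumed).
SUBSTITUTED_FIELDS = ("user_id", "ip_address", "visitor_id")

# Constructed sample rows standing in for the Logging Database (not real YouTube data).
SAMPLE_LOGS: List[dict] = [
    {"video_id": "v1", "user_id": "alice", "ip_address": "192.0.2.10", "visitor_id": "c-111"},
    {"video_id": "v2", "user_id": "alice", "ip_address": "192.0.2.10", "visitor_id": "c-111"},
    {"video_id": "v1", "user_id": "bob", "ip_address": "192.0.2.11", "visitor_id": "c-222"},
    {"video_id": "v3", "user_id": None, "ip_address": "198.51.100.7", "visitor_id": "c-333"},
]


class Pseudonymizer:
    """Keyed, one-way substitution that preserves uniqueness within each field.

    An unkeyed digest such as sha256(ip) would not be one-way in practice: the IPv4
    space is small enough to enumerate, so a recipient could rebuild the whole table.
    The secret key, which never leaves the producing party, is what makes the tokens
    irreversible for everyone else. (Assumed design, not the parties' actual protocol.)
    """

    def __init__(self, key: bytes, token_bytes: int = 16) -> None:
        self._key = key
        self._token_bytes = token_bytes
        # token -> raw value, per field, kept only to detect truncation collisions.
        # This table is as sensitive as the raw data and must never be produced.
        self._seen: Dict[str, Dict[str, str]] = {f: {} for f in SUBSTITUTED_FIELDS}

    def substitute(self, field: str, value: str) -> str:
        # The field name is mixed into the MAC so the same string appearing in two
        # different fields gets two different tokens, while a value repeated within one
        # field always gets the same token, which is what keeps interdependencies intact.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
        token = mac[: self._token_bytes].hex()
        prior = self._seen[field].get(token)
        if prior is not None and prior != value:
            raise RuntimeError(f"token collision in {field}; widen token_bytes")
        self._seen[field][token] = value
        return token

    def pseudonymize_rows(self, rows: List[dict]) -> List[dict]:
        """Return copies of rows with the named fields substituted; other fields untouched."""
        produced = []
        for row in rows:
            new_row = dict(row)
            for field in SUBSTITUTED_FIELDS:
                if new_row.get(field) is not None:
                    new_row[field] = self.substitute(field, str(new_row[field]))
            produced.append(new_row)
        return produced


def uniqueness_preserved(raw: List[dict], produced: List[dict], field: str) -> bool:
    """Distinct raw values and distinct tokens must be equal in number."""
    raw_vals = {str(r[field]) for r in raw if r.get(field) is not None}
    tokens = {p[field] for p in produced if p.get(field) is not None}
    return len(raw_vals) == len(tokens)


def interdependencies_retained(raw: List[dict], produced: List[dict], field: str) -> bool:
    """Rows that shared a raw value must share a token, and only those rows."""
    mapping: Dict[str, str] = {}
    for r, p in zip(raw, produced):
        if r.get(field) is None:
            continue
        if mapping.setdefault(str(r[field]), p[field]) != p[field]:
            return False
    return len(set(mapping.values())) == len(mapping)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained by the producing party only
    out = Pseudonymizer(key).pseudonymize_rows(SAMPLE_LOGS)
    for row in out:
        print(row)
    for f in SUBSTITUTED_FIELDS:
        assert uniqueness_preserved(SAMPLE_LOGS, out, f)
        assert interdependencies_retained(SAMPLE_LOGS, out, f)
```

The two check functions are what a receiving party's consultant could run against the produced data without the key: they verify the stipulation's uniqueness and interdependency requirements from the output alone.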

Tuesday, July 15, 2008

In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada? Or is it allowed to traverse the US border at any time during its journey across the continent? My concern is that communication networks don't seem to be restricted to intra-Canada operation or, due to congestion or failure, most have to use large data highways that may cross over into the United States.

Under PIPEDA, is patient or personal data limited to just traverse within Canada?

In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces has enacted laws in response to the USA Patriot Act, which gives American law enforcement much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but with the storage of and access to that information. For example, from Nova Scotia's PIIDPA:

5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...

While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but users have little control over how this data travels. For example, a traceroute from my home computer to ubc.ca shows that most of the path runs through the US:

Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:

1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]

Trace complete.

This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet: at each hop above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T and the National Security Agency allowed national security organs of the US to vacuum up international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.

So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
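To turn a trace like the one above into a repeatable data-residency check, here is an added example (not part of the original post) that parses a Windows-style tracert listing and reports which hops sit outside Canada according to their router names. The token-to-country table and the treatment of a bare .ca suffix as Canadian are assumptions, since carrier naming conventions vary; the sample input is the trace from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The trace from the post above, reproduced as the sample input.
SAMPLE_TRACE = """
Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:
1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]
13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]
16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]
Trace complete.
"""

# Assumed mapping of router-name tokens to countries. Carrier naming conventions vary;
# these are the tokens present in the trace above (Level3 city names, Eastlink's
# "hlfx" for Halifax, and "yvrx" built on Vancouver's YVR airport code).
LOCATION_TOKENS: Dict[str, str] = {
    "hlfx": "CA", "yvr": "CA", "yvrx": "CA",
    "boston": "US", "chicago": "US", "denver": "US", "seattle": "US",
}

# One tracert hop: number, three probes ("<1 ms", "18 ms" or "*"), then "host [ip]" or a bare ip.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+\s*ms|\*)\s+){3})(?P<rest>.+?)\s*$")
ADDR_RE = re.compile(r"^(?:(?P<host>\S+)\s+)?\[(?P<ip>[^\]]+)\]$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]  # None where the probe timed out
    host: Optional[str]
    ip: Optional[str]
    country: Optional[str]          # None when no token identifies it


def locate(host: Optional[str]) -> Optional[str]:
    """Country guess from hostname tokens; a bare .ca suffix is taken as Canadian (heuristic)."""
    if not host:
        return None
    lowered = host.lower()
    for token in re.split(r"[.-]", lowered):
        token = re.sub(r"\d+$", "", token)  # Boston1 -> boston, br1 -> br
        if token in LOCATION_TOKENS:
            return LOCATION_TOKENS[token]
    return "CA" if lowered.split(".")[-1] == "ca" else None


def parse_trace(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, footer and blank lines
        rtts = [None if t == "*" else float(re.sub(r"[<\sms]", "", t))
                for t in re.findall(r"<?\d+\s*ms|\*", m.group("rtts"))]
        rest = m.group("rest")
        host = ip = None
        am = ADDR_RE.match(rest)
        if am:
            host, ip = am.group("host"), am.group("ip")
        elif IPV4_RE.match(rest):
            ip = rest  # no reverse DNS: tracert prints only the address
        if ip is not None and not IPV4_RE.match(ip):
            ip = None  # e.g. the [REDACTED] placeholder in the post's trace
        hops.append(Hop(int(m.group("hop")), rtts, host, ip, locate(host)))
    return hops


def foreign_hops(hops: List[Hop], home: str = "CA") -> List[int]:
    """Hop numbers positively placed outside the home country (unknowns are not counted)."""
    return [h.number for h in hops if h.country not in (None, home)]


def residency_summary(hops: List[Hop]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hops:
        key = h.country or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(residency_summary(trace))  # {'unknown': 5, 'CA': 3, 'US': 8}
    print("hops outside CA:", foreign_hops(trace))
```

Unknown hops (redacted, no reverse DNS, or no recognisable token) are reported separately rather than assumed domestic, which is the conservative reading when the question is whether a path stays in-country.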

It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.

But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.

"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.

In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.

It's a scenario privacy activists have long warned about.

"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."

Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.

"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."

Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.

Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.

The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.

Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.

One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.

Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.

The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.

With some exceptions in banking, health care and other regulated industries, requests are routinely granted.

Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.

Law enforcement authorities also turn to the records to help solve crimes.

The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.

In the YouTube case, Viacom largely got the data it wanted.

Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.

But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.

And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.

"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."

TORONTO, July 10 /CNW/ - Ontario Information and Privacy Commissioner Ann Cavoukian is urging Google to appeal the recent ruling of U.S. District Court Judge Louis Stanton, requiring the disclosure of YouTube users' information to Viacom. YouTube, a popular website, is owned by Google.

In a letter to Sergey Brin, Google's President of Technology, the Commissioner emphasized her deep concerns about the privacy implications of the ruling, which she was asked to outline earlier this week on Canada AM.

Commissioner Cavoukian said "I was astounded to learn that Google had been ordered to disclose certain YouTube information, which includes users' login IDs and IP addresses, for use in Viacom's copyright infringement lawsuit against YouTube." The Commissioner felt that Judge Stanton had "failed to consider that user login IDs and video viewing habits can reveal a great deal of sensitive personal information."

In response to suggestions that the data be "anonymized" before its release to Viacom's legal counsel, the Commissioner noted that it is possible to re-identify individuals by linking their data with publicly available personal information, such as that found in telephone directories. "Simply stripping certain data fields from a database is not sufficient to safeguard the privacy of individuals," warned the Commissioner.

The Judge's associated protection order, which attempts to limit the authorized uses of YouTube users' information by Viacom, does not eliminate the Commissioner's concerns. Companies simply cannot guarantee that information, once obtained, will not be subject to unauthorized use or disclosure. "Witness the example of identity theft," she noted. "The majority of instances of identity theft result from insider abuse."

"While I have sympathy for the rights of intellectual property holders, businesses should not rely on the surveillance of consumers to protect their copyright interests. It is not acceptable to allow copyright enforcement to come at the expense of users' privacy."

The full text of the letter to Google may be found on the Commissioner's website at www.ipc.on.ca in the What's New section.

The police in Edmonton, Alberta are proposing to place surveillance cameras on the city's popular strip. Frank Work, the Information and Privacy Commissioner of Alberta is not impressed. And in case you were wondering if this is about perceptions, here you have it directly from Sgt. Gary Godziuk, with the city's public safety compliance team:

"The cameras will contribute to the overall perception of public safety and the mitigation of crime and disorder."

It appears clear from the decision that Viacom, et al. were ostensibly not looking for information about users of Google Video and YouTube, but this will certainly be the side-effect. In the preliminary motion, Viacom was seeking a number of orders from the court to help it build its billion dollar case for copyright infringement against the video sites. Because the vast majority of the content is uploaded by users, Viacom is going after YouTube on the basis that they assist and encourage the violation of copyright by users and are therefore responsible financially for it. The reason put forward by Viacom for seeking the full user logs was to compare the viewership (aka hits) of allegedly pirated content against viewership of non-pirated materials. If they can show that allegedly pirated content is more popular, the reasoning goes, they can show that YouTube has a financial interest in allowing pirated content on the site.

Google attempted to argue to the Court that handing over the raw logs would be intrusive of the privacy of the sites' users. Unfortunately for the users, the Court didn't put much weight on these arguments, as it referred to Google's past positions that IP addresses cannot identify individuals:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16).

But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

So why does Viacom need the full logs? Because they need to try to determine unique viewership of the content. They need a way to distinguish one viewer from another.

Do they need full IP addresses? I don't think so. While we are talking about terabytes of data, it would be trivial to run all the logs through a software routine that applies a "one way hash" to each IP address, yielding a consistent, unique token for each address without disclosing the address itself.
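As an added illustration (not the post's own code), here is one way such a routine could work in Python. It uses a keyed one-way hash (HMAC) rather than a bare digest, because an unkeyed hash of an IPv4 address could be matched back to the address by enumerating the small address space; each login ID and IP address in some constructed sample log lines is replaced with a consistent pseudonym, and unique viewers per video are then counted from the pseudonymized rows alone. The log format, the video and login IDs and the key are all assumptions.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed sample of raw viewing-log lines (not real YouTube data).
# Assumed format: timestamp,video_id,login_id,client_ip
RAW_LOG = """\
2008-06-01T10:00:00Z,vid_A,alice,203.0.113.5
2008-06-01T10:01:00Z,vid_A,bob,198.51.100.7
2008-06-01T10:02:00Z,vid_A,alice,203.0.113.5
2008-06-01T10:03:00Z,vid_B,carol,192.0.2.9
2008-06-01T10:04:00Z,vid_B,alice,203.0.113.5
2008-06-01T10:05:00Z,vid_A,dave,198.51.100.7
"""


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way transform of a single identifier.

    A plain unkeyed hash is not enough for IPv4: the address space is
    only 2^32 values, so anyone holding the output could rebuild the
    address by hashing every candidate. Keying the digest with a secret
    that stays with the log holder removes that option for the recipient,
    while the same input still maps to the same token within one release.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_log(raw: str, key: bytes) -> list:
    """Replace login ID and IP in every line; timestamps and video IDs
    (needed for the viewership comparison) are passed through unchanged."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, video, login, ip = line.split(",")
        rows.append((ts, video, pseudonymize(login, key), pseudonymize(ip, key)))
    return rows


def unique_viewers(rows: list) -> dict:
    """Per-video count of distinct (login, IP) pseudonym pairs: the
    per-video viewership comparison the logs were sought for, computed
    without ever seeing a real login ID or IP address."""
    seen = defaultdict(set)
    for _ts, video, login_p, ip_p in rows:
        seen[video].add((login_p, ip_p))
    return {video: len(pairs) for video, pairs in sorted(seen.items())}


if __name__ == "__main__":
    # Fresh random key per release: tokens from two separate productions
    # cannot be joined to each other, and the key itself is never shipped.
    release_key = secrets.token_bytes(32)
    pseudo_rows = pseudonymize_log(RAW_LOG, release_key)
    for row in pseudo_rows:
        print(row)
    print(unique_viewers(pseudo_rows))  # {'vid_A': 3, 'vid_B': 2}
```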

Why the big deal? While Viacom obtained the information for one purpose (to build its case against YouTube), it may be able to use the information for other purposes. At least in Canada, that would be covered by the implied undertaking rule, which would require court permission before using it for any other purpose. But the bigger deal is the chilling effect on viewers. Casual web surfers may know that somewhere their digital footprints are being recorded, but they don't spend a lot of time thinking about it. This case should make internet users think carefully about where they are surfing, what they are viewing and the fact that once personal information is recorded and retained, it will be available for all kinds of secondary uses. Some of these secondary uses, such as litigation or criminal investigations, are beyond their control and there is no opt-out. The Viacom order includes the personal information of innocent viewers who were only viewing public domain or properly licensed content. Those logs include my IP addresses, which include information about what I've viewed and what my kids have viewed. I'm sure that it includes your IP address too.

What to do? If you are an online service provider, don't create logs. If you create logs, don't keep them. It's that simple. (If you are about to be served with a subpoena, don't delete them. It's too late and you'll be hit with accusations of spoliation.) If you are an internet user, look into Tor.

Monday, July 07, 2008

The UK Information Commissioner is calling for a complete overhaul of privacy/data protection in Europe. Think-tank RAND Europe has been commissioned to review the whole state of affairs and report back in April 2009. Watch this space for the results ...

... The current European Directive is "no longer fit for purpose" and European Data Protection law "needs to be modernised to meet the technological and social challenges of the 21st century," the ICO has said.

“European data protection law is increasingly seen as out of date, bureaucratic and excessively prescriptive,” said UK Information Commissioner Richard Thomas at the Privacy Laws and Business conference in Cambridge.

"It is showing its age and is failing to meet new challenges to privacy, such as the transfer of personal details across international borders and the huge growth in personal information online. It is high time the law is reviewed and updated for the modern world."

Saturday, July 05, 2008

According to a recent study conducted by the Ponemon Institute, 10,000 laptops are lost/stolen each week in US airports. While the commentary on this study talks about confidential business information, I am confident that the majority of these laptops also contain personal information. See: PC World - Business Center: Laptops Lost Like Hot Cakes at US Airports.

Thursday, July 03, 2008

The Information and Privacy Commissioner of Saskatchewan, Gary Dickson QC, has released his annual report today. Here is the "Quick Overview":

A Quick Overview

This is my fifth Annual Report as Saskatchewan’s first full-time Commissioner.

Some good progress has been achieved in terms of access to information and privacy compliance in a number of areas. In other areas, not enough has been achieved.

My intention is that this Annual Report provide both some perspective on the last four and one-half years and an outline of the challenges ahead for this office. The people of Saskatchewan deserve an access and privacy regime that is both robust and effective.

My commentary in this Annual Report needs to be qualified by the recognition that achieving such a regime captures much more than just the activities of our oversight office. It entails other features such as:

Effective and up-to-date legislation;

Strong network of FOIP Coordinators in all government institutions and local authorities;

Comprehensive training program for all new public sector employees and contractors;

System of in-service training for all existing public sector employees; and

Relatively simple process to access one’s own personal information and to correct errors in that information;

Full and timely response to any access requests;

Relatively simple process to make a complaint that privacy requirements for a public body have not been met;

A senior, properly trained and qualified FOIP Coordinator for the relevant public body who can assist the citizen to exercise the rights created by our three access and privacy laws; and

Reviews by our office to be completed in majority of cases within five months.

Two central themes have crystallized since I started in November 2003.

1. One is the largely unfinished state of our access and privacy regime despite the fact that FOIP is 16 years old.

2. The other is the burgeoning demand by Saskatchewan citizens and organizations for assistance from us in coping with what is seen as a fragmented, confusing and under-resourced trio of laws.

This includes demand from public sector employees who want to do the right thing and who do wish to ensure their organizations meet access and privacy requirements.

Our last four and one-half years have seen significant increases in almost all areas of service. Formal reviews of access decisions and privacy complaints received by our office for the 2007-2008 fiscal year are 40% higher than the previous fiscal year. Requests to our office for summary advice are up 29%. Visitors to our website are up 20% over the previous year.

This increase in demand for assistance may be at least partly attributable to a lack of tools and resources available to those who need them.

That demand for service also reflects new developments that have dramatically sharpened the focus on personal health information, technical threats to privacy and the demand for transparent and accountable government at all levels.

The OIPC is supported by the Legislative Assembly Office that provides an array of services. We appreciate and rely on those resources.

I am very proud of what our small office has accomplished in the last four and one-half years. The credit goes to the wonderful team of men and women in this office led by Diane Aldridge, Director of Compliance and Pamela Scott, Manager of Administration.

This is some pretty scary stuff. Not only has Viacom (shame on Viacom) demanded that Google hand over the records of all users who viewed certain YouTube videos (yup, viewed not uploaded) but a Judge has actually ordered this. Perhaps not surprisingly, Google's argument that IP addresses are not personal information has been used against its arguments that handing over this information would be unduly intrusive of personal privacy. See: Judge Orders YouTube to Give All User Histories to Viacom Threat Level from Wired.com.

Wednesday, July 02, 2008

When I give presentations on Canadian privacy law, the number one question I get -- without exception -- is whether a retailer can ask for your phone number or postal code at the point of sale. Sometimes I'm asked about asking for ID when making returns. According to Canada.com (I haven't been able to find the survey itself), the Privacy Commissioner of Canada has commissioned a survey that confirms that Canadians are not comfortable with retailers who ask intrusive questions at the check-out:

OTTAWA - More than half of Canadians resist requests for personal information from retailers and nearly as many simply refuse to provide it, according to a survey done for the Office of the Privacy Commissioner.

The Ipsos Reid survey, made public recently on a government website, also found that safety or security concerns are a major impetus for the refusal to give retailers personal information such as name, phone number or postal code.

The survey of 1,000 adult Canadians, conducted last December, was commissioned in part to help the privacy commissioner's office evaluate the need for public education to inform Canadians about their privacy rights during retail transactions.

The survey found 52 per cent of respondents resist retailers' requests for personal information by asking why it is needed, and 45 per cent flatly refuse to provide such information.

Thirteen per cent have deliberately given a store incorrect information when asked for a name, phone number or postal code. Eleven per cent have done the same when registering for commercial online sites.

Anne-Marie Hayden, spokeswoman for the privacy commissioner's office, said it was encouraging that many Canadians are balking at requests for personal information from retailers.

"Personal information is increasingly invaluable in the marketplace," she said. "So we're pleased that consumers are taking charge and questioning requests for their personal information."

Under the Personal Information and Electronic Documents Act, Hayden noted, businesses aren't allowed to collect personal information indiscriminately. Rather, they're supposed to limit the information gathered to what is necessary for the purposes identified by the organization.

Retailers need to be open about why they're asking for personal information, she said.

"If they can't give you a good reason why they need your personal information, don't give it out."

The survey found those who have either refused to give personal information or given incorrect information most often say they did so for reasons related to security and safety.

One in five don't trust the safety of providing such information online, while one in 10 have concerns about identity theft, fraud or computer hackers. Another six per cent mention safety or security issues in general.

A further 28 per cent refrain from providing their personal information because they consider it private or none of the retailer's business.

Others say they refuse because retailers don't need the information or they don't want to be contacted by telemarketers or sent junk mail.

One in three Canadians say they think stores use personal information they gather to compile statistics or demographic information on their customers. Three in 10 think stores sell the information to telemarketers or other companies.

The survey has a margin of error of 3.1 percentage points, plus or minus, 19 times out of 20.

In a report last month, Privacy Commissioner Jennifer Stoddart said many companies ignore "elementary security measures" to protect the personal information they gather. This has led to a growing number of "inexcusable" security breaches, she said.

Last year, the privacy commissioner's office launched an online "e-learning tool" to help retailers bring their privacy practices and policies into line with the law.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.